Problem with security certificate

This is my environment:

Running Windows 7 with Firefox 33.0
Running two Ubuntu Linux servers
I am using a tool to manage the Linux servers called "Webmin"

Webmin is a tool running on Linux that is accessed via a web browser. This Linux server listens on an SSL socket at port 10000.

Out of nowhere, I get an error message when connecting the browser to either of the Linux Webmin servers. The process goes like this:

In the browser URL I enter this:
The connection is refused with this message: Error code: sec_error_invalid_key

The servers are in the same room. I'm "clueless" how and why a certificate process is needed.

However, on another Windows 7 system also in the same room, the connection is completed error free.
Also, on this failing windows system, it matters not if Internet Explorer or Firefox tries to make the connection as both fail with a certificate error.

It is apparent to me that there is something in this Windows 7 gone wrong to not allow two different browser brands to connect to two separate servers, whereas another physical windows box has no problem making these connections.

I have researched this in blogs. The suggestion is to allow the exception by going into Firefox options->Advanced tab->Certificates->View->Server-> Add Exception. Then enter: I tried that, but get a message that nothing found.

Because this SSL connection is refused, and not browser specific, what and where on this particular Windows 7 system do I need to look to make this function again. Out of desperation, I uninstalled/reinstalled Firefox browser, of course no help.

Peter Hutchison (Senior Network Systems Specialist) commented:
Security certificates always use names and not IP addresses, so you should never use an IP address when connecting to a secure web site. Try
Dave Baldwin (Fixer of Problems) commented:
Webmin only runs with 'https' and a self-signed certificate.  Here's what I get when I try to login to Webmin.
[Image: Webmin Certificate Message]
If you're not getting that on the other computer, it's because you already accepted the security exception.
Dave Baldwin (Fixer of Problems) commented:
Also, since I upgraded Webmin recently, it may have generated a new certificate which would require accepting the security exception again.
Dave Baldwin (Fixer of Problems) commented:
I just logged in with IE and Chrome and they are just as unwilling as Firefox because of the self-signed certificate.
RayRider (Author) commented:
I'm not given the opportunity of accepting any security exception. I am away at the moment.

In the past, I have seen offers to accept. Not now! The working PC shows the server certificate as This is not seen on the defective system.
Dave Baldwin (Fixer of Problems) commented:
As mentioned above by @Peter Hutchison, the certificate requires a name as shown above in my pic.  I don't know how you got it to work with an IP address since it's not supposed to.  Also you are showing 'http' rather than 'https' which is required with Webmin on my systems.  It won't let me login with an IP address or plain 'http'.

You should be getting the certificate error the first time you try to connect because it is a self-signed certificate.  That is the way it should work.
RayRider (Author) commented:
I am using https. A typo!
RayRider (Author) commented:
Back at it and have a little more information.

The working PC will connect to the Webmin host at: Therefore, I wanted to know what is in its Firefox security certificates. I took a look at Firefox options->Advanced tab->Certificates->View->Server and see an entry at the very top of the list as:


So, I tried connecting to the other server at I get the page shown by Dave Baldwin in the above post saying:

This connection is untrusted. I clicked on: "I choose the risks". Then the page that asks to store the exception. Now, when I go back to view the certificates in Firefox, the second server is now there.

The faulty Windows machine is faulty in how it responds without a certificate. It does NOT ASK ME to "choose the risks". It just "blows away" with an invalid certificate.

So, my question still is how do I configure Windows 7 to show the "untrusted site page"?

I did a regedit scan, looking for and came up with nothing. I am guessing that these certificates are not stored in the Registry. Does anyone know how these are handled?
RayRider (Author) commented:
A bit more research has led me to find a Windows tool called "certmgr.msc". Also Microsoft Technet is telling me that the certificates are indeed stored in the registry.

So, going to the working PC, I browse the output of "certmgr.msc" and the registry locations for the certificates. Still, I DO NOT FIND any certificates for my and .96 webmin server. I do see them in Firefox's certificate tab. There is much more to this that is not revealing a solution.

Looking for more suggestions, please while I continue to search for the answer. Thanks to all and any potential help!
Dave Baldwin (Fixer of Problems) commented:
I added my Linux computer to my 'hosts' file with their IP address and host name. Like we said above, certificates are Not supposed to be found with IP addresses. When I try to connect to my Webmin with an IP address, it tells me to use the host name and shows me a link for it. Searching for certificates with IP addresses should not give you any results. And Firefox, by the way, has its own certificate storage separate from Windows. IE and Chrome use the Windows certificate storage.
RayRider (Author) commented:
The other identical win 7 machine is displaying (Firefox certificates) with an IP address, and behaves normally. Plus, this system has always shown the certificate server with an IP address, and worked that way until whatever happened to stop it. But, for the sake of eliminating any questionable issues, I will place the hostname in the hosts file and see what gives whenever I get to the system to make the changes.
Dave Baldwin (Fixer of Problems) commented:
"The other identical win 7 machine is displaying (Firefox certificates) with an IP address, and behaves normally."
All I can tell you is that the version of Webmin (1.700) that I have on my machines will not accept a connection by IP address.  It requires me to use a host name and it puts up a link with the correct info.  

I looked in the Certificates list in Firefox and I see the IP addresses of my servers there along with the server names.  If I ever connected with the IP address, I can't do it now.  And you could never do it on the public internet.

The host name in the 'hosts' file is a lookup for your computer.  It must match the hostname in the Linux machine.
RayRider (Author) commented:
Can someone explain how Windows 7 internally stores certificates? I have NOT BEEN SUCCESSFUL in locating even the WEBMIN certificates on the working machine. I don't find them with certmgr.msc, nor see them in the Registry. I don't believe they are specific to Firefox, even though Firefox is said to have them in a database named "cert8.db": C:\Users\Ray\AppData\Roaming\Thunderbird\Profiles\h41dnn4k.default\cert8.db. I should clarify that it is reported that Firefox can store certificates here, not that all of them are in cert8.db.

I say this because neither Firefox, nor I.E. sees the certificate. There is something common to all browsers in my problem on this problematic machine.

Any suggestions?
Peter Hutchison (Senior Network Systems Specialist) commented:
Certificates are stored on the server providing the service.

When a web browser accesses a secure site, it will read the public certificate from the web server (I believe into memory, so it will not be found on disk anywhere) to confirm the name matches the web site and that the Cert Authority is trusted and is not out of date.

Certificates are only stored on disk if you deliberately save them from the web page and import them from a CRT, CER, PFX etc. file.
RayRider (Author) commented:
I'm back to this again after some searching and thinking it over. I have come to the conclusion that a fix to this problem is to find a way for my Webmin server at  to "once again" present me with the window that says "This connection is untrusted". If I can ever get that message, the exception will be added to the system wherever this configuration information is stored, not the certificate itself, but the logic that decides if one is needed or not.

I understand that the certificate is not stored on the hard drive as Peter Hutchison has explained. And, that the certificate itself is downloaded from the Cert Authority, and that the two keys are checked.

In my Firefox and I.E. browser, I can look at the certificate servers. Where does that information come from? Webmin is NOT using a certificate. That is the reason to declare it "untrusted" and accept the "risk". And when I get to do those steps in accepting the untrusted connection, I get an entry in the Firefox browser's certificate list with IP address of the server running Webmin. No domain name is required as suggested above. I have checked this out on other working browser - Webmin pairs. All have the exception listed as the LAN IP and not a domain, or hostname.

However, this win 7 machine does not have an entry in the browser's security certificate list for either of my two Webmin servers. The browser refuses to allow a manual entry for my "untrusted" Webmin.

A key bit of information leading to a solution, is this fault is indicating the certificate is "invalid", not that it is missing. If I can figure out how to remove any history, Then I believe it will warn me of the "untrusted connection", allowing me to accept the risks. Something has gotten out of sync.
RayRider (Author) commented:
I would like to show the browser security certificates from the working system. This is a screen capture.
[Image: Firefox security certificate list]
Dave Baldwin (Fixer of Problems) commented:
"Webmin is NOT using a certificate."
That is simply wrong. It is using a 'self-signed' certificate and when you connect the first time it says that. More info in the middle of the page here:  Note that in all of their examples they are using a host name and not an IP address.

And here is their 'Wiki' page about it with a note that recent versions have changed from a fixed SSL to generating a new key at installation:

I also have similar listings in my Firefox Certificate manager as shown below. After this last update, I had to switch from IP connections to hostname connections. The two IP listings have been replaced by the 'davidubu' and the 'dibsubu' connections because the IP connections no longer work.
[Image: Firefox Certificates]
You're complaining that things are not as they used to be and you're probably correct. Typically software is written to let you continue using older methods (at least for a while) but when you make a new connection or installation, you will be required to use the newest current method.
RayRider (Author) commented:
Dave, Some of my conclusions are rooted from having insufficient knowledge on this very complicated subject. Yes, the general flow is understood somewhat. But, I'll never be a security expert, or try to be one when all I wanted to do is connect a tool to my two ubuntu servers which I have been doing for such a long time, and still can from other machines that are similar in versions, etc.

Since you first mentioned using a hostname instead of an IP address, I checked to see that hosts file did contain the hostnames of these two servers. I attempted to connect to them the way you have shown above. I still get the same errors.

I have seen some information on the net relating to Webmin using a 512 byte key vs. a 2048. The error is "Error code: sec_error_invalid_key". But, all the time with this problem, I have been trying to put human reasoning to this problem as my other win7 desktop and two win7 laptops connect with no problem. However, I am going to have to move on to other thinking regardless the other machines working.

Thanks for the help. I'll keep struggling along, trying other things I run across. If you can suggest other ideas, please pass them on.
Dave Baldwin (Fixer of Problems) commented:
All I did the last time was use the link that Webmin put up with the hostname and accepted the security exception to get it to connect.  That's what you have to do with self-signed certs.  What version of Webmin are you using?  I have upgraded to the latest version which is 1.710.
Dave Baldwin (Fixer of Problems) commented:
Try connecting to webmin with 'http' and see what it says. This is what happens when I try that. It gives the correct link to connect to it. I would still have to accept the security exception if I had not done that already.
[Image: Webmin http IP message]
RayRider (Author) commented:
I am running Webmin 1.710. I already tried the http instead of the normal https. I get the same message as you did about server running in SSL mode.
RayRider (Author) commented:
Referring back to my comment about 512 byte encryption, while I was looking at Webmin from the working desktop, I went to the configuration icon and selected the SSL configuration. This version is already using a 2048 byte key.

I also saw a option to disable SSL. I hate giving up on something, and really would like to find the real problem....but the thought was tempting. LOL
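
An added example, not part of any post in this thread: one way to read the RSA key size directly from the certificate a server presents, which bears on the key-size question raised above alongside sec_error_invalid_key. It uses only the Python standard library; the function names and the constructed sample certificate are assumptions made for illustration.

```python
import ssl

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def rsa_key_bits(der_cert):
    """Bit length of the RSA modulus in an X.509 certificate, None if not RSA."""
    tbs = children(read_tlv(der_cert)[1])[0][1]
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # optional explicit version field
        fields = fields[1:]
    alg, key = children(fields[5][1])       # subjectPublicKeyInfo
    if children(alg[1])[0][1] != RSA_OID:
        return None
    rsa_key = read_tlv(key[1][1:])[1]       # skip BIT STRING unused-bits octet
    return int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

def fetch_der(host, port=10000):
    """Fetch a server's certificate without validating it (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    hdr = size if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + hdr + content

def constructed_cert(bits, oid=RSA_OID):
    """Constructed certificate skeleton: no real key, names or signature."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + rsa))
    empty = tlv(0x30, b"")                  # stand-ins for sigalg/issuer/validity/subject
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for bits in (512, 2048):
        print(bits, rsa_key_bits(constructed_cert(bits)))
```

Against a live host, `rsa_key_bits(fetch_der("<hostname>"))` reports the size of the key the server actually presents on the wire.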
Dave Baldwin (Fixer of Problems) commented:
"the real problem" is that Webmin doesn't want to support SSL/TLS on IP addresses.  Neither does anyone else and on a public web site, you can't use IP addresses with an SSL/TLS certificate.  You are expected to use the domain name that is listed in the certificate.  

This is an IP link to my web site with 'https':  You can take a look at the error message.  While Firefox will let me enter an exception, it appears that Webmin will no longer accept that on a 'new' connection.

Don't be surprised if the machines that are still working with IP addresses stop working that way in the future.  Use the domain name link that it shows you.

RayRider (Author) commented:
I feel privileged that you have "hung in there" with me on this issue. The more I look for a solution, the more I get confused! For example, I followed your link above. Behold, Firefox warns about an "untrusted connection". But, Firefox 33.0 allows me to accept the risk, and I am allowed to proceed to your site. Firefox says it is adding the exception, but it doesn't show up on Firefox's certificate manager. These once did; I have a partial understanding.

Looking closer at the Firefox versions between problematic situation, and the other so called working systems, I discovered that the working systems are running Firefox 32.0.3, NOT 33.0 like this one. Firefox version 32.0.3 is allowing the adding of exceptions to "all" untrusted sites. However Firefox version 33.0 will not allow adding an exception to the Webmin server, but it will allow me to add your server. I am not understanding why the difference, other than a suspicion that Firefox 33.0 thinks the Webmin certificate is "invalid".

Why Firefox 32.0.3 will show the non stored certificates of Webmin, and not show the exception to your site is also a mystery to me.

So, as another test, I downloaded Chrome to the problem machine. Chrome allows me to make the connection to Webmin, after accepting the warnings.

I have concluded that this is a Firefox 33.0 problem, as it thinks the certificate is invalid, but has no feature to manage, or purge it. My solution is to use Chrome to manage Webmin. Or, maybe try to configure Webmin to not use SSL connections.

I will give you all the points and appreciate all the help.
Dave Baldwin (Fixer of Problems) commented:
Thanks, glad to help.  Note that my screen shot above of the Firefox certificates was taken on Firefox 33.0.2.  I just tried the Webmin connection on another computer that had never connected to it and is running Firefox 33.0.2.  It would let me make the exception with either IP address or hostname.  So you may be right about Firefox 33.0 being the problem.